Vulnerability Management, Endpoint/Device Security, Network Security, Endpoint/Device Security, Endpoint/Device Security

FDA urges return of vulnerable, recalled Medtronic remote insulin pump controllers

Medtronic recalled MiniMed 508 insulin pumps over a number of vulnerabilities found in the device family. (“October 14 2007 day 2 – Insulin syringes” by DeathByBokeh is licensed under CC BY-NC 2.0)

Medtronic issued a notice of a product recall of its MiniMed 508 remote insulin pump controller, over a number of critical vulnerabilities found in the device family, which were first disclosed by the vendor in 2018.

The Food and Drug Administration identified it as a Class I recall, the most serious type of recall as it could cause injury or death. The impacted devices include all MiniMed Remote Controllers, model MMT-500 and MMT-503, which are used with the Medtronic MiniMed 508 insulin pump or other insulin pumps within the device family.

The devices were distributed from August 1999 until July 2018, when Medtronic discontinued their use due to the discovery of flaws that could lead to a host of nefarious — and dangerous — activities. The initial recall began on Aug. 7, 2018. The latest effort aims to ensure no other patients are using the flawed devices.

The first recall was directed to individuals whose insulin pumps were still covered by the warranty. Medtronic has expanded the recall to include any individual who may still be using the devices.

According to the FDA alert, the devices are designed to deliver insulin for management of diabetes for patients and include an optional remote controller device that can wirelessly communicate with the pump to deliver a specific amount of insulin to the patient.

The initial vulnerability alert from the Cybersecurity and Infrastructure Security Agency shed light on the flaws. For one, the communications between the pump and wireless activities are transmitted in clear text, which would let a “sufficiently skilled attacker” to capture the transmissions and steal sensitive data.

The second vulnerability is caused when the insulin pump is paired with a remote controller, with the “easy bolus” and “remote bolus” options enabled. In this scenario, the devices are vulnerable to a capture-replay attack: a hacker could capture the wireless transmissions between the controller and the pump and replay them to deliver insulin.

The FDA alert warns that an attacker could potentially record and replay wireless communications between the controller and the pump, and then instruct the device to over-deliver insulin or stop the delivery of insulin altogether, which could lead to diabetic ketoacidosis, high blood sugar, or even death.

“If you have never programmed a remote controller ID into the pump and never programmed the easy bolus option, you are not impacted by this vulnerability,” FDA officials explained. “To date, the FDA is not aware of any reports of patient harm related to these potential cybersecurity risks.”

Those affected include individuals who use the remote controller feature with the named devices, or the health care providers who treat those with diabetes using remote controllers tied to the impacted pumps.

At the time of the initial disclosure, Medtronic urged all users to stop using the remote controllers and disable the remote option on the insulin pump, before returning the devices directly to the vendor. Medtronic also provided guidance for patients to ensure their safety, while requesting individuals cease using the devices. The remote option is turned off by default.

Medtronic is now warning anyone who may still be using the recalled devices or who’ve purchased an affected remote controller despite the expanded recall. Those individuals have been urged to stop using the remote controller and turn off the easy bolus feature.

The vendor also provided steps for safely disconnecting the remote controller from the insulin pump, as well as how to contact Medtronic to return the impacted device.

Until individuals are able to disconnect the remote controller from the pump, it’s imperative that the easy bolus function is disabled to minimize the cybersecurity risks. Those individuals should also pay acute attention to pump alerts, particularly when the easy bolus function is enabled.

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.